Description of the new Memory Pressure Protection feature for TCP stack

This article describes a new Memory Pressure Protection feature for TCP stack. This new feature is provided by security update 967723.

The Memory Pressure Protection feature consists of three security settings. These settings include Memory Pressure Protection (MPP), Profiles, and Port Exemption.

The MPP setting

The MPP setting defines the feature, and it includes the following two activities when an attack is detected:

• Kill the existing TCP connections.
• Drop incoming SYN requests.

An administrator can enable or disable the MPP setting by using netsh commands. When the administrator enables or disables the MPP setting, this feature is enabled or disabled.

The Profiles setting

The Profiles feature helps the administrator differentiate between public and nonpublic interfaces. If an interface can access the domain controller, it indicates that the interface is domain-joined or that the administrator can configure an interface to be private. The Profiles feature is available only in Windows Vista and in Windows Server 2008.

The Profiles setting determines the ability of the computer to kill TCP connections and to drop incoming SYN requests on the domain-joined interface and on the private interface when the computer is under attack with low memory. On Windows Server 2003, an administrator is required to use registry entries to disable the MPP feature on a particular interface. For more information, see the "Configuring these settings in Windows Server 2003" section. By default, the Profiles setting is enabled. When this setting is enabled, the administrator has decided not to kill TCP connections or to drop SYNs on the domain-joined interface and on the private interface under any circumstances. If the administrator wants to kill TCP connections and drop SYNs on the domain-joined interface and on the private interface when under attack, the Profiles setting must be disabled.

Note If the MPP setting is enabled and an attack is detected, the administrator cannot stop killing connections on public interfaces even if the Profile setting is enabled. The Profiles setting feature is targeted for domain-joined and private interfaces. However, in these cases, an administrator can use the Port Exemption setting to exclude certain ports on public interfaces from MPP action.

The Port Exemption setting

The Port Exemption setting enables the administrator to make port-specific exceptions. By default, when the MPP setting is enabled, the Memory Pressure Protection feature is enabled for connections on all the ports. If an attack is detected, the existing connections may be killed or incoming SYNs may be dropped, based on the MPP and Profiles settings. However, an administrator can set exceptions for connections on certain ports by specifying them in the port exception list.

Notes

• The Port Exemption list is a single global list and applies to all interfaces and IP addresses.
• The Port Exemption setting comes into effect before any TCP connection is established on the port. We recommend that you configure all settings that are related to MPP before you start the server applications.

Default values for these settings on the servers and on the clients

Note If these settings are changed, and an administrator wants to revert to the default settings, the administrator can use the following netsh command: Note See the "Known issues" section before you use the netsh int tcp reset command.

Configuring these settings in Windows Vista

An administrator can use netsh commands to update the MPP, Profiles, and Port Exemption settings at run time. These settings determine whether a TCP connection is a candidate for pruning or not. This evaluation is performed when the Transmission Control Block of that TCP connection is created, depending on the settings at that time.

• netsh int tcp reset
  Resets the security settings together with the other TCP settings. These security settings include the MPP, Profile, Port Exemption, and connection rate-limiting settings.
  
• netsh int tcp show security
  Displays the currently-applied security settings for MPP, Profiles, and port exemptions, if any.
  
• netsh int tcp set security mpp=[enabled|disabled|default]
  Toggles the MPP settings.
  
• netsh int tcp set security Profiles=[enabled|disabled|default]
  Toggles the Profiles setting.
  
• netsh int tcp set security startport=<x> numberofports=<y+1> mpp=[enabled|disabled|default]
  Specifies the port exemptions for the port range from x to x+y. You should make sure that x and x+y are in the valid port range (0 - 65535).
  
  Examples
  • Add a port range exemption:
    Type the following command at command prompt, and then press ENTER:
    netsh int tcp set security startport=5000 numberofports=10 mpp=disabled
    This command disables the MPP feature for ports 5000 to 5009 (both inclusive).
    
    
  • Delete a port range exemption:
    Type the following command at command prompt, and then press ENTER:
    netsh int tcp set security startport=5000 numberofports=10 mpp=enable
    This command deletes the exemption entry that was added in the first example.
    
    Note Overlapping port ranges and sub-ranges are not handled by the netsh int tcp set security command.

Configuring these settings in Windows Server 2003

In Windows Server 2003, you have to configure these settings by using the registry.

Configuring the MPP setting in Windows Server 2003

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

To enable or disable the MPP setting, use the following registry entries.
Note The following registry entries are not available by default. You must create them to modify them. Although the registry entries are not present, the MPP setting is enabled by default, and no port is exempted.

• Internet Protocol version 4 (IPv4):
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableMPP
  
  
• Internet Protocol version 6 (IPv6):
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\EnableMPP
  
  

For example, you could follow these steps to disable the MPP setting on IPv4:

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type EnableMPP, and then press ENTER.
5. Right-click EnableMPP, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Exit Registry Editor.
8. Restart the computer.

Notes

• If you want to re-enable the MPP setting, set the DWORD value for the EnableMPP registry entry to 1, and then restart the computer.
• You can follow these same steps to configure the following registry entry for the MPP setting on IPv6:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\EnableMPP

Configuring the MPP setting for a particular interface in Windows Server 2003

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

Note By default, on Windows Server 2003, the MPP feature is enabled on all interfaces.

To enable or disable the MPP setting for a particular interface, use the following registry subkeys:

• IPv4:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\<GUID>\DisableMPPOnIF
• IPv6:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip6\Parameters\Interfaces\<GUID>\DisableMPPOnIF

For example, you could follow these steps to disable the MPP setting for a particular interface on IPv4:

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\<GUID>
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DisableMPPOnIF, and then press ENTER.
5. Right-click DisableMPPOnIF, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor.
8. Restart the computer.

Note You can follow these same steps to configure the following registry subkey for the MPP setting for a particular interface on IPv6:

Configuring the Port Exemption setting in Windows Server 2003

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

To specify the port exemptions for the port range from x to y, use the following registry entries:

• IPv4:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MPPExcludedPorts
• IPv6:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\MPPExcludedPorts

For example, you could follow these steps to specify the port exemptions for the port range from xxxx to yyyy on IPv4:

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. On the Edit menu, point to New, and then click Multi-String Value.
4. Type MPPExcludedPorts, and then press ENTER.
5. Right-click MPPExcludedPorts, and then click Modify.
6. In the Value data box, type the port range in xxxx-yyyy format (for example 5000-5010), and then click OK.
7. Exit Registry Editor.
8. Restart the computer.

Notes

• You must specify the port range in xxxx-yyyy format, where xxxx and yyyy are in the valid port range. The range is inclusive of the start values and the end values.
• You can follow these steps to configure the following registry subkey for the Port Exemption setting on IPv6:
  
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\MPPExcludedPorts
• There is a limit of 12 port ranges that can be specified in this list. Additional ranges will be ignored, and exemptions are not applied.

Known issues

• On Windows Vista SP2 and on Windows Server 2008 SP2, the connection rate limit is affected by the netsh int tcp reset command.
  
  Before you install this security update, the netsh int tcp reset command resets the TCP settings. This includes Chimney parameters, Explicit Congestion Notification (ECN), Receive Window Auto-Tuning, Compound TCP (CTCP), and timestamps. After you install this security update, the netsh int tcp reset command also resets the security settings, including MPP, Profiles, and connection rate-limiting settings. Even if MPP and Profiles settings are expected, resetting the connection rate-limiting setting also happens at run time. To set the connection rate-limiting again, you have to modify the registry subkey. For more information about the connection rate-limiting setting, click the following article number to view the article in the Microsoft Knowledge Base:
  969710

  (http://support.microsoft.com/kb/969710/ )

  How to enable the half-open TCP connections limit in Windows Vista with Service Pack 2 and in Windows Server 2008 with Service Pack 2
• In Windows Server 2003, if you install security update 967723 and then install IPv6, the event log contains information that resembles the following information for IPv6 Event ID 4229:
  The description for Event ID 4229 from source Tcpip6 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  
  If the event originated on another computer, the display information had to be saved with the event.
  
  The following information was included with the event:
  
  the message resource is present but the message is not found in the string/message table
  To resolve this issue, you have to reinstall the update or add the following registry subkeys manually:
  • In Windows Server 2003 SP2, add the string %systemroot%system32\w03a3409.dll under
    HKLM\System\CCS\Services\eventlog\System\tcpipv6\EventMessageFile
  • In Windows Server 2003 SP1, add the string %systemroot%system32\w03a2409.dll under
    HKLM\System\CCS\Services\eventlog\System\tcpipv6\EventMessageFile
  • In Windows Server 2003, add the string %systemroot%system32\ws03res.dll under
    HKLM\System\CCS\Services\eventlog\System\tcpipv6\EventMessageFile